Windows 10 to get two-factor authentication built-in

Microsoft is continuing its crusade to get CIOs interested in Windows 10, touting new security features that include two-factor authentication built directly into the OS.

The effort to bake two-factor authentication into Windows 10 is aimed at doing away with the old single-password method, which has proven so insecure in recent years and has led to so many instances of system break-ins and data theft, according to Microsoft. With two-factor authentication, malicious hackers need to be in control of two pieces of information in order to break into a system, such as a password and a code sent to a user's device like a smartphone.

Overall, Windows 10 will offer businesses enhanced security in areas like identity protection and access control, information protection and threat resistance, since security "has been central to many of the customer conversations I've had since we announced the availability of the [Windows 10] Technical Preview," wrote Jim Alkove in a blog post, referring to the pre-release version of Windows 10 that is publicly available for testing.

In the area of identity and access control, Windows 10 will offer IT managers the necessary functions to protect user credentials and devices with two-factor authentication, without having to rely on third-party products, he wrote.

"We believe this solution brings identity protection to a new level as it takes multi-factor security which today is limited to solutions such as smartcards and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals," Alkove wrote.

More specifically, Windows 10 will let users enroll their devices as one of the two authentication factors, with the second being either a PIN or a biometric input, such as a fingerprint reading.

"From a security standpoint, this means that an attacker would need to have a user's physical device — in addition to the means to use the user's credential — which would require access to the user's PIN or biometric information," he wrote.

The credential can be either a key pair generated by Windows, or a certificate provisioned for the device by a company's existing PKI system. "Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI backed identity isn't practical," he wrote.

The new user credentialing system will be supported by Microsoft's Active Directory, Azure Active Directory, and consumer Microsoft Accounts "so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords."

Windows 10 will also have features to protect the user access tokens generated as part of the authentication process, so that they're not vulnerable to techniques like Pass the Hash coupled with advanced persistent threats.